Why running a service as Local System is bad on Windows?
Note: this page is a Chinese/English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must do so under the same CC BY-SA license, cite the original address, and attribute it to the original authors (not me): StackOverflow
Original address: http://stackoverflow.com/questions/1730486/
Asked by pointlesspolitics
I am trying to find out the difference between difference service account types. I tumbled upon this question.
The answer was because it has powerful access to local resources, and Network Service should be used if possible.
But still I am not able to understand: if it has powerful access to local resources, how can an attacker access the account? What are the ways to compromise the account? I understood it is all about security, but I don't know how. It could be the dark hacker's world; however, could anybody explain, in simple terms, why the network service account is better than a local account?
Thanks in advance.
Answered by Jeff Sternal
Every program you run increases the attack surface of your server.
You have to assume that a determined, malicious actor can exploit bugs or loopholes in your program to make it do anything. You mitigate that by executing your programs with the least privileges required to do their jobs.
Some of these exploits include:
Luring attacks, in which an attacker tricks your program into executing their code under the program's elevated privileges.
Buffer Overrun Attacks, in which extra data sent to a method is written into adjacent memory, which may be the target of control flow logic.
Man in the Middle attacks, where an attacker falsifies messages to your program.
Often, a given service isn't obviously vulnerable to any of these. Running under network service (or another account with reduced permissions) is a 'better safe than sorry' strategy that acknowledges two important facts of software development: programmers are fallible and attackers are inventive.
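The answer above argues for running every service with the least privilege it needs. Before that advice can be applied, an administrator has to know which services still run as LocalSystem. The following PowerShell inventory script is an added example, not code from the thread or from any of the answerers; it assumes a Windows host with the CIM cmdlets (PowerShell 3 or later), and the rule "a LocalSystem service whose binary lives outside the Windows directory is third-party and worth reviewing" is a heuristic of this example, not a statement from the page.

```powershell
# Added example: inventory the account each Windows service runs under and
# flag third-party services that still run as LocalSystem.
# Assumes Get-CimInstance is available (PowerShell 3+ on Windows).

# StartName values that Win32_Service reports for the three built-in service
# accounts, mapped to a short description. Hashtable string keys are
# case-insensitive, so the lookup below tolerates casing differences.
$builtin = @{
    'LocalSystem'                 = 'LocalSystem (full control of the machine)'
    'NT AUTHORITY\LocalService'   = 'LocalService (low privilege, anonymous on the network)'
    'NT AUTHORITY\NetworkService' = 'NetworkService (low privilege, authenticates as the machine account)'
}

function Get-ServiceAccountReport {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $account = $_.StartName
        # Guard against a null StartName before touching the hashtable.
        $known   = $account -and $builtin.ContainsKey($account)
        [pscustomobject]@{
            Service   = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $_.PathName
            Account   = if ($known) { $builtin[$account] } else { "$account (custom account)" }
            # Heuristic (an assumption of this example): a LocalSystem service whose
            # executable sits outside %SystemRoot% is third-party and should be
            # reviewed for a move to LocalService/NetworkService or a dedicated account.
            Review    = [bool]($known -and $account -ieq 'LocalSystem' -and
                               $_.PathName -notlike "*$env:SystemRoot*")
        }
    }
}

# Running services flagged for review, most useful to look at first.
$report = Get-ServiceAccountReport
$report | Where-Object { $_.Review -and $_.State -eq 'Running' } |
    Sort-Object Service |
    Format-Table Service, StartMode, Path -AutoSize

# Summary of how many services use each account on this host.
$report | Group-Object Account | Select-Object Count, Name | Sort-Object Count -Descending
```

Run it from an elevated prompt so every service is visible. The flagged list is a starting point for review, not a verdict: some Microsoft components also live outside the Windows directory, and some third-party services genuinely need LocalSystem, so each entry should be checked against what the service actually does.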
Answered by ReinstateMonica Larry Osterman
The LocalSystem account is the Windows equivalent of the *nix root account. It's even more privileged than an administrator account. When you run as LocalSystem, you have full access to every resource on the machine.
As others have written, you should write your code to run with the least possible privileges.
The primary difference between LocalService and NetworkService is that services running as NetworkService have the ability to authenticate to other machines in the domain (as the machine account I believe).
Please note that the LocalService and NetworkService accounts both have the "Impersonate" privilege which is a potentially dangerous privilege - it allows the service to impersonate the user who is calling into the service. If that user is an administrator, then even though your code is running in a low privileged service, it can do anything that the administrator does. If an attacker can exploit a buffer overflow in your least privilege service, they can hook out the APIs you use to impersonate your caller and wait until a high privileged caller calls into your service. This technique is known as "Token Kidnapping" and the MSRC has a great blog post describing the issue (and contains links that describe how to mitigate many of the other risks associated with using LocalService and NetworkService accounts).
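The answer above notes that LocalService and NetworkService hold the Impersonate privilege by default, so simply switching a service off LocalSystem is not the whole job. Windows lets an administrator declare, per service, the exact privilege set the service requires; the Service Control Manager then strips every other privilege from the service's token when it starts. The session below is an added example, not from the answer or from Microsoft's blog post; it assumes an elevated PowerShell prompt on Windows Vista or later, and MyAppSvc is a placeholder for a real service name.

```powershell
# Added example: move a service from LocalSystem to NetworkService and declare
# a minimal privilege set so SeImpersonatePrivilege is removed from its token.
# 'MyAppSvc' is a placeholder; run from an elevated prompt.
$svc = 'MyAppSvc'

# 1. Current configuration: which account it runs as, and which privileges it
#    declares. An empty privilege list means the service inherits the account's
#    full default set, which for LocalService/NetworkService includes
#    SeImpersonatePrivilege.
sc.exe qc $svc
sc.exe qprivs $svc

# 2. Run as NetworkService instead of LocalSystem. The built-in service
#    accounts need no password. Note the mandatory space after 'obj='.
sc.exe config $svc obj= "NT AUTHORITY\NetworkService"

# 3. Declare the minimal privilege set. Multiple privileges are separated
#    with '/'. SeChangeNotifyPrivilege (bypass traverse checking) is the bare
#    minimum most processes need; SeImpersonatePrivilege is deliberately absent,
#    so the SCM removes it from the process token at start-up. If the service
#    genuinely impersonates callers, add SeImpersonatePrivilege back and accept
#    the risk the answer describes.
sc.exe privs $svc SeChangeNotifyPrivilege

# 4. Optionally give the service its own SID so ACLs can grant access to this
#    service specifically rather than to everything running as NetworkService.
sc.exe sidtype $svc unrestricted

# 5. Restart and confirm the declared set took effect.
Restart-Service -Name $svc
sc.exe qprivs $svc
```

Two caveats apply. Services that share a process (the svchost groups) receive the union of the privileges declared by every service in that process, so per-service privilege trimming is most effective for services running in their own executable. And if the service writes to files, registry keys or pipes that were previously reachable only because it ran as LocalSystem, those ACLs must be adjusted for the new account before the restart, otherwise the service will fail to start.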
Answered by AnthonyWJones
The Local account has effectively full administrative privileges on the local machine. Hence any code that might escape from, say, a buffer overrun and get itself executing has significant scope to do damage.
On the other hand, the Network Service account has by default only Guest level access to the local system. Hence even if an attacker managed to find way to send and execute code within the service that code would have limited access.
Answered by denisenkom
If your service has a bug which can allow an attacker to execute arbitrary code (like a buffer overflow), he can do everything with your computer if the service is running under the Local System account, which is equivalent to the Administrator account. So the less privileged the account your service is running under, the less privilege the attacker can get.
Answered by Tomas
The simplest scenario is when the service allows the user of the service to execute some code on the command line. For example, MS SQL Server has a stored procedure that allows you to run a 'command line' command (i.e. run a program).